
Most reported attacks on WordPress databases exploit SQL injection vulnerabilities. Renaming the WordPress database table prefix makes your blog or website harder to exploit with a zero-day SQL injection, because an attacker can no longer rely on the default table names.

WordPress Database Security: The Prefix Guessing Game

By default, the names of all WordPress database tables start with the prefix "wp_" (wp_users, wp_usermeta, wp_options, wp_posts and so on), as shown in the screenshot below.

If a malicious user discovers a zero-day SQL injection vulnerability in WordPress (which does happen from time to time) and you have not renamed the table prefix, they can simply assume the default table names and exploit the vulnerability against your blog or website. To make things worse, there is a myriad of scripts and automated scanners on the internet that specifically target WordPress blogs and websites. An attacker who exploits such a vulnerability against your blog or website can:

Gain administrative access to your blog.

Tamper with your blog and website.

Gain access to other sensitive databases on that server (if the database user WordPress connects with has privileges beyond its own database).

Potentially gain access to the web server itself.

Renaming the WordPress database table prefix therefore raises the bar for such attacks: an exploit that hardcodes the default table names fails, and the attacker first has to discover what you renamed them to. Use a hard-to-guess prefix, such as a long random string of letters and digits. This is a hardening measure on top of, not instead of, keeping WordPress and its plugins patched.


To use your WP Security Scan tool to change the names of the table files, I need to type in the names of the table files I want to change. Is there a master list somewhere of all the file names?

I see 11 different files in your sample; is that all of them? How do I know which files are table files and which files I need to rename?

I have a WordPress install with well over 40 subdomain member sites on a multisite install, all using a central theme. If I rename the wp_ prefix to something else, will it break the system, and is there a way I can do the renaming so as not to break the site?

Thank you for showing interest in our products. Unfortunately the database table prefix renaming tool does not support multisite installs yet. We are working on a solution. Follow us on our blog or any of our social media networks to stay informed about our updates.

Yes, it is a wrong presumption. It depends on what access the user being used to access the WordPress database has. If you use the root account, then yes, unfortunately the malicious user will have access to all other databases. If you use a specific user just for the WordPress database, then you are safe.

The attacker can brute force the table names, so it's still security by obscurity. Maybe you can delay full access to the tables by some seconds, not even minutes.

In my job as a developer I have tested some of these SQLi tools, to learn how they work. These tools automate the whole attack after you give them a vulnerable URL. As a normal DB user, the table names were also determined quickly by brute force.

The whole point of renaming the tables is to make it more difficult for malicious users to exploit a zero-day SQL injection against your WordPress installation, not to protect yourself when a user has already exploited the SQL injection. Prevention is always better than cure.

I have a WP e-commerce installation that I have spent the last few months setting up. Are there any potential problems with changing the table prefix? If there is even a risk then it may not be worth it at this time.

In response to the comment about brute force hacking of the obscure prefix: no plugin shuts all the doors on its own. In addition to this rather neat script I also use something like Limit Login Attempts. This does at least slow the hacker's access to a crawl unless he's got unlimited proxies 😉

Why would changing the prefix stop a hacker? It wouldn't. If they can gain access to the wp-config.php file and connect to the database using a plugin or similar method, then all it would take is a simple SHOW TABLES MySQL command to see the table names.

Security through obscurity is risky and leads people into a false sense of security. You’re probably better off securing / locking down portions of your site to prevent abuse.

This security precaution is not a protection for when a hacker gains access to your wp-config file, and neither is security through obscurity. This procedure will only protect you from zero-day SQL injections. So if a hacker manages to exploit a zero-day SQL injection against your WordPress site, he cannot simply predict the table names and retrieve all the data from your database, but has to guess the table names. As you can see, this is an extra precaution you can take for making sure your WordPress is bullet proof 🙂

A zero-day SQL injection attack exploits an SQL injection vulnerability that exists in a web application and of which there was no prior awareness. That means no security measures were applied against it. Thus, in case this vulnerability is exploited, by changing the table prefix of the WordPress database the attacker will have to guess the table names before accessing them. So, even if the attacker exploits the vulnerability to gain access to the WordPress database, the attacker has to guess the table names as well before gaining access to the database data.

It is my understanding that Google and WordPress have had, or are in, heated discussions/disagreements with each other.

And as such Google has downgraded most if not all WordPress sites (including mine) through their Panda and Penguin updates to search engine obscurity; that is, traffic to our websites has greatly reduced!

Would installing the WebsiteDefender plugin, which allows the WordPress database tables with the "wp_" prefix to be changed to something else, increase our website rankings as well as securing our websites from malicious attacks?

That should be fine, as long as you change the names which are used by WordPress by default. Attackers will try to guess the names of the databases using the default names. The 'random' characters you inserted in the names of the tables should stop such attacks.